The use of computers and computer-based information systems has spread deep and wide through every modern-day organization. An organization must exercise control over these systems because the cost of the errors and irregularities that may arise in them can be high and can even challenge the very existence of the organization. An organization's ability to survive can be severely undermined through corruption or destruction of its database; decision-making errors caused by poor-quality information systems; losses incurred through computer abuse; and loss of computer assets and of control over how computers are used within the organization. Managements across the world have therefore deployed specialized auditors to audit their information systems, to find gaps between declared policies and actual use and shortcomings in information system design and usage.
Auditing Standards for Information Systems Auditing
The specialized nature of Information Systems auditing and the professional skills and credibility necessary to perform such audits, require standards that would apply specifically to IS auditing.
Standards, procedures and guidelines have been issued by various institutions, which discuss the way the auditor should go about auditing Information Systems.
In line with such developments, the Supreme Audit Institution of India, for instance, has declared a mission to adopt and evolve standards, guidelines and best practices for auditing in a computerized environment. This will lend credibility and clarity to the conduct of audits in a computerized environment.
The framework for the IS Auditing Standards provides multiple levels of guidance. Standards provide a framework for all audits and auditors and define the mandatory requirements of the audit. They are broad statements of auditors' responsibilities and ensure that auditors have the competence, integrity, objectivity and independence in planning, conducting and reporting on their work. Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure. Procedures provide examples of procedures an IS auditor might follow in an audit engagement. They provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Guidelines and Procedures is to provide further information on how to comply with the IS Auditing Standards.
While conducting an Information Systems audit, the auditor should consider the issues of confidentiality, integrity and availability (CIA), and his work should be guided by international or respective national standards. These may include INTOSAI Auditing Standards, International Federation of Accountants (IFAC) Auditing Standards, international standards of professional audit institutions such as the Information Systems Audit and Control Association (ISACA) and the Institute of Internal Auditors (IIA), and national auditing standards of SAI member countries.
ISACA IS Auditing Standards and Guidelines and Code of Professional Ethics
The Information Systems Audit and Control Association (ISACA) has laid down the following generic requirements for IS audit, which are applicable to all categories of IS audits:
1. The responsibility, authority and accountability of the information systems audit function are to be appropriately documented in an audit.
2. The information systems auditor is to be independent of the auditee in attitude and appearance.
3. The information systems auditor is to adhere to the 'Code of Professional Ethics'. Due professional care and observance of applicable professional auditing standards are to be exercised.
4. The information systems auditor is to be technically competent, having the skills and knowledge necessary to perform the auditor's work and has to maintain technical competence through continuing professional education.
5. The information systems auditor is to plan his work to address the audit objectives.
6. Information systems audit staff is to be appropriately supervised so as to ensure that audit objectives and applicable professional auditing standards are met. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of sufficient, reliable, relevant and useful evidence.
7. The information systems auditor is to provide a report, in an appropriate form, to intended recipients upon the completion of audit work.
8. The information systems auditor is to follow up on whether action was taken in a timely manner on previous relevant findings.
CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY (COBIT)
The Information Systems Audit and Control Foundation (ISACF) developed the Control Objectives for Information and related Technology (COBIT). COBIT is a framework of generally applicable information systems security and control practices for IT control. The framework allows
(1) Management to benchmark the security and control practices of IT environments,
(2) Users of IT services to be assured that adequate security and control exist, and
(3) Auditors to substantiate their opinions on internal control and to advise on IT security and control matters.
1. Business Objectives. To satisfy business objectives, information must conform to certain criteria that COBIT refers to as business requirements for information. The criteria are divided into seven distinct yet overlapping categories that map into the COSO objectives: effectiveness (relevant, pertinent, and timely), efficiency, confidentiality, integrity, availability, compliance with legal requirements, and reliability.
2. IT resources, which include people, application systems, technology, facilities, and data.
3. IT processes, which are broken into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring.
COBIT, which consolidates standards from 36 different sources into a single framework, is having a big impact on the information systems profession. It is helping managers learn how to balance risk and control investment in an information system environment. It provides users with greater assurance that the security and IT controls provided by internal and third parties are adequate. It guides auditors as they substantiate their opinions and as they provide advice to management on internal controls.
INFORMATION SYSTEMS CONTROL TECHNIQUES
The basic purpose of information system controls in an organization is to ensure that the business objectives are achieved and that undesired risk events are prevented or detected and corrected. This is achieved by designing an effective information control framework, which comprises policies, procedures, practices, and organization structure that give reasonable assurance that the business objectives will be achieved. When reviewing a client's control systems, the auditor will be able to identify three components of internal control. Each component is aimed at achieving different objectives. The information system auditor will be most familiar with:
1. Accounting controls: These are the controls which are intended to safeguard the client's assets and ensure the reliability of the financial records;
2. Operational controls: These deal with the day-to-day operations, functions and activities to ensure that the operational activities are contributing to business objectives;
3. Administrative controls: These are concerned with ensuring efficiency and compliance with management policies, including the operational controls.
Auditor's categorisation of controls
When we look at financial or accounting controls we examine them to see if they reduce the likelihood of the financial statements containing material errors. We put the controls into categories depending on when they act. We categorise the controls into following four groups:
1. Preventive Controls: Preventive controls are those inputs which are designed to prevent an error, omission or malicious act from occurring. An example of a preventive control is the use of passwords to gain access to a financial system.
Compensatory Controls: Controls are basically designed to reduce the probability of threats which can exploit the vulnerabilities of an asset and cause a loss to that asset. While designing the appropriate control, one thing should be kept in mind: the cost of the lock should not be more than the cost of the assets it protects. Sometimes, while designing and implementing controls, organizations may not be able to implement appropriate controls because of constraints such as financial, administrative or operational ones. In such a scenario, there should be adequate compensatory measures which, although they may not be as efficient as the appropriate control, can indubitably reduce the probability of threats to the assets. Such measures are called compensatory controls.
Audit Trails:
Audit trails are logs that can be designed to record activity at the system, application, and user level. When properly implemented, audit trails provide an important detective control to help accomplish security policy objectives. Many operating systems allow management to select the level of auditing to be provided by the system. This determines which events will be recorded in the log. An effective audit policy will capture all significant events without cluttering the log with trivial activity.
Audit Trail Objectives: Audit trails can be used to support security objectives in three ways:
a. Detecting unauthorized access to the system,
b. Facilitating the reconstruction of events, and
c. Promoting personal accountability.
Detecting Unauthorized Access:
Detecting unauthorized access can occur in real time or after the fact. The primary objective of real-time detection is to protect the system from outsiders who are attempting to breach system controls. A real-time audit trail can also be used to report on changes in system performance that may indicate infestation by a virus or worm. Depending upon how much activity is being logged and reviewed, real-time detection can impose a significant overhead on the operating system, which can degrade operational performance. After-the-fact detection logs can be stored electronically and reviewed periodically or as needed. When properly designed, they can be used to determine whether unauthorized access was accomplished, or attempted and failed.
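An after-the-fact review of this kind, as an added example that is not part of the original text: it separates access that was attempted and failed from access that was accomplished after a run of failures. The log layout, the threshold of three failures, the five-minute window and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (assumed layout):
# timestamp, user, source address, event, outcome.
SAMPLE_LOG = """\
2024-03-01T08:59:10 alice 10.0.0.5 LOGIN SUCCESS
2024-03-01T09:00:01 bob 192.0.2.44 LOGIN FAILURE
2024-03-01T09:00:07 bob 192.0.2.44 LOGIN FAILURE
2024-03-01T09:00:15 bob 192.0.2.44 LOGIN FAILURE
2024-03-01T09:00:31 bob 192.0.2.44 LOGIN SUCCESS
2024-03-01T09:10:00 carol 198.51.100.7 LOGIN FAILURE
2024-03-01T09:10:05 carol 198.51.100.7 LOGIN FAILURE
2024-03-01T09:10:09 carol 198.51.100.7 LOGIN FAILURE
2024-03-01T09:10:14 carol 198.51.100.7 LOGIN FAILURE
2024-03-01T11:30:00 alice 10.0.0.5 LOGIN FAILURE
2024-03-01T11:30:20 alice 10.0.0.5 LOGIN SUCCESS
2024-03-01T11:31:00 alice LOGIN
"""

def parse(log_text):
    """Return (records, unparsed): LOGIN records, plus line numbers to review by hand."""
    records, unparsed = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        try:
            ts, user, source, event, outcome = line.split()
            when = datetime.fromisoformat(ts)
        except ValueError:            # wrong field count or bad timestamp
            unparsed.append(n)
            continue
        if event == "LOGIN" and outcome in ("SUCCESS", "FAILURE"):
            records.append((when, user, source, outcome))
        else:
            unparsed.append(n)
    return records, unparsed

def review(log_text, threshold=3, window=timedelta(minutes=5)):
    """Classify bursts of failed logins per (user, source) as failed or accomplished."""
    records, unparsed = parse(log_text)
    burst = defaultdict(list)         # (user, source) -> failure times in the open burst
    findings = []

    def close(key, verdict):
        if len(burst[key]) >= threshold:
            findings.append((key[0], key[1], verdict, len(burst[key])))
        burst[key] = []

    for when, user, source, outcome in sorted(records):
        key = (user, source)
        if burst[key] and when - burst[key][-1] > window:
            close(key, "ATTEMPTED_AND_FAILED")    # burst went stale with no success
        if outcome == "FAILURE":
            burst[key].append(when)
        else:
            close(key, "ACCOMPLISHED")            # success directly after the burst
    for key in list(burst):
        close(key, "ATTEMPTED_AND_FAILED")        # bursts still open at end of log
    return findings, unparsed

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG)[0]:
        print(finding)
```

Lines that do not parse are returned rather than dropped, because a truncated or malformed record in an audit trail is itself something the reviewer should look at.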
Reconstructing Events:
Audit analysis can be used to reconstruct the steps that led to events such as system failures, security violations by individuals, or application processing errors. Knowledge of the conditions that existed at the time of a system failure can be used to assign responsibility and to avoid similar situations in the future. Audit trail analysis also plays an important role in accounting control. For example, by maintaining a record of all changes to account balances, the audit trail can be used to reconstruct accounting data files that were corrupted by a system failure.
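The reconstruction of account balances described above, as an added example that is not part of the original text: changes recorded in the audit trail are replayed onto the last good backup, and each record is checked against the state it claims to start from. The record layout (sequence number, account, before-image, after-image, user) and all values are assumptions constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data: balances in the last good backup and the
# audit trail of balance changes recorded since that backup.
BACKUP = {"1000-CASH": Decimal("5000.00"), "2000-AP": Decimal("1200.00")}
TRAIL = [
    (101, "1000-CASH", "5000.00", "4750.00", "alice"),
    (102, "2000-AP",   "1200.00", "950.00",  "alice"),
    (103, "1000-CASH", "4750.00", "4900.00", "bob"),
    (105, "2000-AP",   "900.00",  "880.00",  "carol"),  # record 104 is missing
    (106, "1000-CASH", "4900.00", "4890.00", "bob"),
]

def reconstruct(backup, trail):
    """Replay the trail onto a copy of the backup.

    Returns (balances, suspect_accounts, exceptions). A record is applied
    only if its before-image equals the balance reconstructed so far; once
    an account's chain breaks, later records for it are reported, not applied.
    """
    balances = dict(backup)           # never modify the backup itself
    suspect = set()
    exceptions = []
    expected = None
    for seq, account, before, after, user in sorted(trail):
        if expected is not None and seq != expected:
            exceptions.append(("SEQUENCE_GAP", expected, seq))
        expected = seq + 1
        if account in suspect:
            exceptions.append(("NOT_APPLIED", seq, account))
        elif balances.get(account) != Decimal(before):
            suspect.add(account)
            exceptions.append(("BEFORE_IMAGE_MISMATCH", seq, account))
        else:
            balances[account] = Decimal(after)
    return balances, sorted(suspect), exceptions

if __name__ == "__main__":
    balances, suspect, exceptions = reconstruct(BACKUP, TRAIL)
    print(balances, suspect, exceptions)
```

In the sample, the cash account is rebuilt in full, while the payables account stops at the last record whose chain is intact and is reported for manual follow-up.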
Personal Accountability:
Audit trails can be used to monitor user activity at the lowest level of detail. This capability is a preventive control that can be used to influence behavior. Individuals are likely to violate an organisation's security policy if they know that their actions are not recorded in an audit log.
User Controls:
Validity of computer application systems output lies ultimately with the user.
The user is responsible for data submission and for correction of errors that are the result of inaccurately submitted data. User controls over data being processed should include:
a. User instruction manuals defining responsibilities and actions;
b. Input controls that identify all data entering the processing cycle;
c. Processing control information that includes edits, error handling, audit trails and master file changes;
d. Output controls that define how to verify the correctness of the reports;
e. Separation of duties between preparing the input and balancing the output.
Error Correction: Identify all data and processing errors that can be identified, either through edits or routine processing. Also determine the impact that data and processing errors have on processing (errors must be corrected before processing continues, or errors are segregated from processing so that good transactions may continue to be processed while errors are corrected), and whether an exception report is generated for long-outstanding error transactions, with an aging analysis.
Risk-Based IS Audit Strategy and Objectives
One of the significant challenges facing auditors today is what to audit. The tighter integration of information systems and business processes, and the continued complexity of these systems, combined with limited resources and the ever-increasing pace of business, make auditing everything an impossible task. One of the techniques that management and auditors can use to allocate limited audit resources is a risk-based audit approach. The risk-based audit approach helps ensure that appropriate levels of protection are applied to information assets.
A benefit of the risk-based approach to audit planning is that auditing resources are allocated to the areas of highest concern.
Aligning Controls with the Organization's Business Objectives
IT governance provides structure to functions and processes within the IT organization. Because of the critical dependency of business on its information systems, the governance structure must ensure that the IT organizational strategy is aligned with the business strategy. The implementation of the IT strategy will help ensure that IT processes contain the necessary controls to reduce risk to the organization and its business objectives. IT resources should be used responsibly, and IT risks should be managed appropriately.
Steering Committee
The organization should have an IT steering committee to ensure that the IS department's strategy directly aligns with the organization's corporate mission and objectives and with efficient use of IT resources. The IT steering committee is a formal organization usually composed of senior managers representing the business areas, with duties outlined in a charter. The charter outlines what authority and responsibilities are assigned to the committee and is a strong indicator that senior management supports the steering committee. One of the functions of the IT steering committee is to keep detailed minutes of its meetings, to document both the procedural functions of the committee and its decisions. The committee is responsible for ensuring that the organization's leadership (board of directors and senior management) is informed in a timely manner via the minutes and additional reporting, if required.
Segregation of Duties
Segregation of duties is an important means by which fraudulent or malicious acts can be discouraged or prevented. A common example of improper segregation of duties is allowing a single person within operations or the help desk to have the responsibility for ordering hardware/software, receiving it, and managing asset or inventory control. This type of structure could allow a single person to order and receive IT equipment without adding it to the asset-control system and, therefore, creates the opportunity for theft of equipment. In small organizations in which proper segregation of duties is not possible, the IT department must set up compensating controls. In this instance, the IT department could institute a daily/weekly review of all orders by a manager, to ensure that equipment is being added to the asset-control system.
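The manager's periodic review described above, as an added example that is not part of the original text: each order is reconciled against the asset-control register, and orders where one person performed more than one of the three duties are flagged. The field names, finding labels and all sample records are assumptions constructed for illustration.

```python
# Constructed sample data: purchase orders and the asset-control register.
ORDERS = [
    {"po": "PO-1001", "serial": "SN-A1", "ordered_by": "dave", "received_by": "erin"},
    {"po": "PO-1002", "serial": "SN-B2", "ordered_by": "dave", "received_by": "dave"},
    {"po": "PO-1003", "serial": "SN-C3", "ordered_by": "gina", "received_by": "erin"},
    {"po": "PO-1004", "serial": "SN-D4", "ordered_by": "erin", "received_by": "frank"},
]
ASSET_REGISTER = [
    {"po": "PO-1001", "serial": "SN-A1", "recorded_by": "frank"},
    {"po": "PO-1004", "serial": "SN-D4", "recorded_by": "erin"},
]

def review_orders(orders, register):
    """Return (po, serial, issues) for every order the reviewer should follow up.

    Issues raised:
      ONE_PERSON_MULTIPLE_DUTIES  the same person ordered, received and/or
                                  recorded the item (duties not segregated)
      NOT_IN_ASSET_REGISTER       the item was never added to asset control
    """
    recorded = {(a["po"], a["serial"]): a["recorded_by"] for a in register}
    findings = []
    for order in orders:
        duties = [order["ordered_by"], order["received_by"]]
        recorder = recorded.get((order["po"], order["serial"]))
        if recorder is not None:
            duties.append(recorder)
        issues = []
        if len(set(duties)) < len(duties):
            issues.append("ONE_PERSON_MULTIPLE_DUTIES")
        if recorder is None:
            issues.append("NOT_IN_ASSET_REGISTER")
        if issues:
            findings.append((order["po"], order["serial"], issues))
    # Orders with the most issues first: an unrecorded item that one person
    # both ordered and received is the case the text warns about.
    findings.sort(key=lambda f: (-len(f[2]), f[0]))
    return findings

if __name__ == "__main__":
    for finding in review_orders(ORDERS, ASSET_REGISTER):
        print(finding)
```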